NIS 2005 Intrusion Detection Alert with AS2004.5

[jeffhunter 0]

Hi Guys,Thank you for the update.Unfortunately, since installing it, I've had some real problems with NIS2005. The boffins at symantec have managed to make ccapp.exe unstoppable, so that the only option is to disable nis, with a significant memory penalty. If I don't I get a repeated warning that AS is attempting to connect to the internet. Even if I say it's ok, I get another warning in about 20 seconds. Aaaaarghhh!!My drama is this. NIS refuses to let me tell it that AS2004.5 is OK to connect to the 'net. If I disable my firewall, I get an alert telling me that an attempt was made to connect to my computer using a method characteristic of the MS_RPC_DCOM_BUFFER_OVERFLOW attack. two of the IP address were 147.10.106.131 and 146.10.125.92.I'm reluctant to tell NIS that these addresses are trusted unless I know that they are from you guys.I've emailed Symantec, with predictably useless support, suggesting that I do all the bleeding obvious.Any ideas gratefully received.Thanks,Jeff

[Damian Clark 1,235]

Hi Jeff,I am not familiar with Symantec's NIS firewall. Those IP addresses are not ours, but they could easily be mid-point routing nodes and a byproduct of the AS2004.5 server connection attempt. Not sure.Why can AS2004.5 not be configured as a trusted app? Is there a "learn" mode of NIS which allows you to temporarily "watch" what an app does to make sure all its components are correctly accounted for? Many firewall apps have such feature.Anyone else running NIS that might be able to help? Sorry Jeff I don't have any other ideas!

[Hakkie 0]

Jeff, I would first remove the (all, if more than 1 exists) AS2004 entry from NIS database. You can do this in the 'Configure' option of the firewall. It shows a list of all applications that have been registered in NIS, either automatically by Symantec rules or approved by you. Once AS2004 is removed, try downloading weather again. NIS should ask you if AS2004 is to be trusted. Answer 'yes' and select the option that NIS will not ask again.I'm using F-Secure at the moment, but have been using NIS before. So I'm not sure about the actual wordings/texts being used in NIS.